Re: [TLS] Breaking into TLS to protect customers

Carl Mehner <> Thu, 15 March 2018 16:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 15ED012D7F0 for <>; Thu, 15 Mar 2018 09:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cucgxoqZT3Ya for <>; Thu, 15 Mar 2018 09:58:55 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ACD64126D73 for <>; Thu, 15 Mar 2018 09:58:55 -0700 (PDT)
Received: by with SMTP id w197so3815038vkw.3 for <>; Thu, 15 Mar 2018 09:58:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=cem; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Px1ABpi6vupXHZjHbcKCo/YuFO0IDmLuCUmnNChmBBg=; b=eYNGsCjSWPCKOXp9kklikXn0x4gXpfTw5ArgzKierXIpc4mh++ss/9MiBh+pRjne/l T72Tm+Rg0fgTCOBxS+n8BIe7wxTfYgeG13D/QPbboBep+GA5Gux6MoxnA7r55/i2BccR eJAWjU0MVhk97gjjmnvf8t0iIZSjhZdIkpgz4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Px1ABpi6vupXHZjHbcKCo/YuFO0IDmLuCUmnNChmBBg=; b=PvEIzN08QFv+kRToVrL1GEdCzpUylzAF32hQvisWAo0DK6XBn3UL418F6Q/+EoyuZg KIIuytjL3h4KkZs9bSbmi7Vw7bnIUzY/Rxk5IfyJitbsRYVqAs4cUEUn7pTY5sHDD/sM VkWopvTVR9qOIdrx1ZaXgK1a52ELdtj0hD07pTV+9OThhlIM6LPs6yTzAlzTsLrcOg3N 7+xVbsKPKV/k6OIbWIIN79SYBQ+oeWXMvIBtqGr7nlPhq3HUArSm78pElLZVyvtm65Xg Z/4+6nxGOPM29FioQmyd/cIEzNlT5RwtT5CN2j5t+pCcMZ0Mmuk4X5WQ/Zd4TwJCO6D4 5fFQ==
X-Gm-Message-State: AElRT7EWJdLQXrMf/157tQaPTZfrKN+vSPpLDOk+RpAqrljdXYoZAHm9 L4xURtWT0jUqRQ94xM7000Ax7Y7ZFZG8uN4FrUcLRZI1yi0=
X-Google-Smtp-Source: AG47ELv1Q8P1U/M5DUm6K/QXcD4msSi6SxDzkCDYTWN+aG0XP1yGfdeVevyB/0kBH8pAI59JLoYrcrrV4HQzEYYUoAs=
X-Received: by with SMTP id y191mr1766028vkc.57.1521133134272; Thu, 15 Mar 2018 09:58:54 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 15 Mar 2018 09:58:53 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <>
From: Carl Mehner <>
Date: Thu, 15 Mar 2018 11:58:53 -0500
Message-ID: <>
To: Kathleen Moriarty <>
Cc: Ion Larranaga Azcue <>, "" <>
Content-Type: multipart/alternative; boundary="94eb2c1494ac1ff0fa05677668f1"
Archived-At: <>
Subject: Re: [TLS] Breaking into TLS to protect customers
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Mar 2018 16:58:57 -0000

On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty <>; wrote:
> I think what Yoav is referring to by detecting BOTS within the
> network, is really so called advance persistent threat (APT) actors
> that are moving around the internal network leveraging existing access
> rights of compromised accounts and privilege escalation
> vulnerabilities.  These might be detectable with 'visibility'.
> Patterns and behavior might be used to detect the APT use case whether
> or not encryption protects the stream, but it is more difficult.

Yes, they might, however, the best place for malware detection is on the
edge (which is out of scope for "in the Datacenter" type connections) and
the endpoint, where an agent is able to run that does not need to 'break
in' to the TLS session. Yes, the Fenter draft talks about how malware
endpoints can be anywhere in the network, and that they can delete logs as
a reason to require out of band network decryption. However, if "breaking
TLS" becomes an effective malware mitigation means, more malware makers may
move to using app-level encryption (as some already have). Therefore, the
conclusion we can draw is that malware is not a reasonable reason requiring
this enhanced "visibility".